05-08-2017 12:47 AM - edited 02-21-2020 09:16 PM
Hi,
I'm configuring an IPsec IKEv2 VPN in the lab in order to test functionality, and after looking for it for a couple of days I cannot find how to remove a user from the VPN so he cannot log in again.
In order to create the user I followed this:
crypto key generate rsa general modulus 4096 exportable label user@example.com
!
!output shortened
!
crypto pki authenticate user@example.com
crypto pki enroll user@example.com
!
exit
show crypto pki server ca-server requests
crypto pki server ca-server grant 1
crypto pki export user@example.com pkcs12 usbflash0:/user.pfx password <password>
!
crypto key zeroize rsa user@example.com
no crypto pki trustpoint user@example.com
The connection is working fine but, as I said, I want to know the way to remove users.
Thanks in advance.
05-08-2017 06:13 PM
Sounds like you are trying to revoke a certificate so that when a client tries to connect with a revoked cert the authentication will fail. If that is the case you can use the following command:
crypto pki server cs-label revoke certificate-serial-number
Example: Device# crypto pki server mycs revoke 3
Revokes a certificate on the basis of its serial number.
You can also take a look to the following link:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_pki/configuration/15-mt/sec-pki-15-mt-book/sec-cfg-mng-cert-serv.html#GUID-EBB14F31-5117-4C7D-8ADF-D0108C690418
Hope this info helps!!
Rate if it helps you!
-JP-
05-10-2017 03:05 AM
Hi JP,
Thanks for the answer, but unfortunately after revoking it, running clear crypto session and configuring crypto ikev2 disconnect-revoked-peers, the computer is still able to connect.
This sounds strange to me, as if the certificate is revoked the client shouldn't be able to connect.
Thanks,
05-10-2017 07:37 PM
Hi Saul,
Try getting the following debugs:
debug cry pki messages
debug cry pki transactions
Hope this info helps!!
Rate if it helps you!
-JP-
05-11-2017 06:37 AM
Hi JP,
Here is the debug:
VPN#crypto pki server ca-server revoke 0x5
May 11 15:35:06.975: CRYPTO_CS: Current crl loaded in memory..
SEQ(623)
SEQ(89)
SEQ(13)
OID(9):SHA Signature 1.2.840.113549.1.1.5
NULL
END
SEQ(20)
SET(18)
SEQ(16)
OID(3):Common Name 2.5.4.3
PRT(9):ca-server
END
END
END
UTC(13):170511150505Z
UTC(13):170511210505Z
SEQ(20)
SEQ(18)
INT(1):4
UTC(13):170511150505Z
END
END
END
SEQ(13)
OID(9):SHA Signature 1.2.840.113549.1.1.5
NULL
END
BIT(512<-0>):
00 B0 41 48 9E 71 2A A5 C7 74 25 D2 2E 0B 4D 4F
07 5B 4A A0 98 43 66 1C 2E 4D 8A FA 8D AC CF 86
12 D7 A6 D0 09 D0 87 CD D0 8D 3A 46 EA 8C 11 02
05 71 9F 10 C8 B6 0E D5 41 D6 A1 DD 75 EF 0F 4B
C0 7D 43 63 45 44 E4 2E F3 61 3F F3 60 BD 19 BA
EF F9 18 96 84 7D 2B 1E 0E 48 51 AA D7 B9 6F 5C
07 3A 3C 23 46 04 A6 B6 A4 B7 B9 C9 66 45 D7 7A
B5 10 FA D7 9B 6C CC 01 D4 D9 E5 0C 88 77 36 16
5C 6E 57 7A 68 56 DE 7D 8B FD 42 4D 95 16 91 5F
6D 4A 23 EB F8 80 2B 57 E4 2E 0F 73 DD
% Certificate 05 succesfully revoked.
VPN#DC AE 81
7B 8D 85 87 49 DE B2 6D 20 8B 60 CD 00 5C 5B 0C
AA BA CC 6D 5C 3A 27 3C CD A0 C7 3D CD 8D EB CB
B5 90 6D C6 62 4E 45 9B D0 59 26 9E 00 BA 6F EE
76 CA 8A 86 84 DF 55 A0 D5 4A 07 A1 1E D6 CA 85
02 0F DE 30 7A 5E 48 09 DD 50 6F BE E9 B4 11 F1
90 58 B4 5B F7 80 52 B2 A5 04 57 6E 6A D7 CC 28
90 51 6E 6C B0 BC CF A3 A1 61 32 4C 45 4D C6 0B
85 5B B7 2B BF CA 1E 8B 9D 69 48 B6 1D 8B AA 66
AE 17 DF 52 BB C3 00 5A E4 A9 DF F8 48 97 92 FD
8E FD C1 04 80 DC 79 70 8A 5A 5F 0A AE 84 63 5F
3F 2A A6 0D 91 67 1B AE 7E DD B5 DC 8C 88 15 7E
5E 77 6F D9 3D DF B1 FF FB 6B AB E0 5A FB 43 4F
22 BD EF 6B F9 A7 B9 16 5A 08 7A C0 C7 9D 7F 63
C5 B9 0B 7D 35 01 5D 41 42 C6 C1 DF 5F FF 25 B0
43 B7 CC 42 5C 56 19 43 23 19 F9 C2 66 92 C6 0B
53 95 9E 37 84 D5 70 CD E0 02 EB A4 ED 9E 16 B6
1C F3 4E 87 07 D0 40 63 D0 AB E8 51 AB 0D 4B AA
BC 6F 88 8C E5 31 74 19 87 7F 9A 05 3D FF 0A 5E
1F 0B 97 F6 BD 49 1C B7 D0 A2 13 77 85 80 4D DD
EE 20 A0 E9 87 EE 16 66 34 3B F6 AE EB 1B 6D AA
B9 32 E5 70 D9 A7 E3 AA 98 4B D8 9F 9B 6A C2 34
1F D2 2A 2B F7 BF 73 AE 90 17 63 01 77 33 10 9E
38
END
May 11 15:35:09.359: CRYPTO_CS: updated crl in memory ..
SEQ(643)
SEQ(109)
SEQ(13)
OID(9):SHA Signature 1.2.840.113549.1.1.5
NULL
END
SEQ(20)
SET(18)
SEQ(16)
OID(3):Common Name 2.5.4.3
PRT(9):ca-server
END
END
END
UTC(13):170511153506Z
UTC(13):170511213506Z
SEQ(40)
SEQ(18)
INT(1):4
UTC(13):170511150505Z
END
SEQ(18)
INT(1):5
UTC(13):170511153506Z
END
END
END
SEQ(13)
OID(9):SHA Signature 1.2.840.113549.1.1.5
NULL
END
BIT(512<-0>):
00 A9 3B 05 2A 36 63 D9 F3 A6 6C 7D 08 7D 77 52
C0 C5 E1 0F 43 52 27 A1 A9 11 B5 49 C6 6A 77 BB
64 8B D8 62 62 B1 18 E9 A8 EB 6B 57 A9 FC B5 D6
75 65 43 BF 23 B9 9D 09 24 68 EF BB 96 73 09 4F
80 4B 45 80 01 54 FC 24 E0 D5 84 01 99 57 A9 7A
77 B0 C6 EF F4 55 F7 BE 94 81 10 20 20 D7 70 A0
35 B9 2A 4C 60 89 B5 9D AB 1E 0C A2 2E C3 71 5C
0F FA FB A2 B2 0A FC 11 38 FF 6E 5F 6B 46 E3 06
76 7F 07 41 4B DD 9F CA 68 69 19 DE E6 DE 11 E4
49 0F 6F 4D 69 D0 E2 86 7E 90 08 5C 18 61 49 67
51 D9 A4 8F C2 ED A4 FD 87 F3 4D 76 9B C0 9D A1
13 C9 F3 6F 4E A2 84 B2 A8 D2 07 64 99 19 70 A5
4D 02 A9 CA 1D 46 BC 0F 4B D1 85 5D A4 1C C4 70
F3 B9 B5 E0 77 A7 07 24 04 38 E5 F1 DB E0 EB 18
70 D8 9A 7A 41 FC 57 83 BB E7 62 1C 6B C1 51 4D
2C FA 69 B7 E7 E1 6A A1 AD 3A FB 47 09 21 23 20
86 AA 1E 1E 3E 6D 0A D8 2C F2 33 BA 16 BD 19 11
E4 CB 2D 5B A8 32 9F 58 7A 0C 91 03 39 4F BC 2B
1F 84 36 68 FA 96 36 A2 8E D8 6C 17 C6 98 4C 52
1F 6B BA 21 B6 D3 58 DC 45 99 FC F1 98 65 02 DD
11 C6 F2 FB 78 8A 8A 49 C6 90 D3 2A FD 4B 0B 0D
08 F9 31 D8 FE 74 BE 13 1A 58 04 C5 6B DF 17 9A
E0 98 43 EA DF 2D CA 55 3E DA 1F 36 9E DA 5E CE
63 22 DD 71 0A 85 6F 32 E0 45 F4 E9 90 F7 AC EE
E0 69 DD 7E 64 57 F8 1B 57 97 BC 91 F8 BF 19 69
08 EF 32 9E 9E 9D AB BC D1 68 D2 77 12 07 23 D7
24 9F 16 FC AA 04 F9 0C 3F B5 5C 3A 44 8D 6F 79
00 DC 67 75 8F 71 E4 A4 42 8D 75 11 3B DF 8F 9C
B5 E0 4F 4D 65 78 44 C3 1E A7 97 C1 BC BD 6F 33
EB 89 DE 95 80 0B A3 16 16 CD 36 DB 25 9F 5D 93
F3 68 51 B6 98 50 12 5E A1 FC 94 16 DF 3B FB 38
F6 C4 21 FD 11 55 2E 9E 1B 71 8C 6F F2 0A FD BC
66
END
VPN#clear crypto session
VPN#
May 11 15:35:36.227: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to down
May 11 15:35:36.247: CRYPTO_PKI: Initializing renewal timers
May 11 15:35:36.247: PKI:get_cert router 0x10 (expired=0):
VPN#
VPN#
VPN#
CRYPTO_PKI: found no hash match
May 11 15:35:50.895: CRYPTO_PKI: (A0009) Session started - identity not specified
May 11 15:35:51.739: CRYPTO_PKI: locked trustpoint router, refcount is 1
May 11 15:35:51.739: CRYPTO_PKI: Identity bound (router) for session A0009
May 11 15:35:51.739: CRYPTO_PKI: Added x509 peer certificate - (1297) bytes
May 11 15:35:51.743: CRYPTO_PKI: Added x509 peer certificate - (1290) bytes
May 11 15:35:51.743: CRYPTO_PKI: create new ca_req_context type PKI_VERIFY_CHAIN_CONTEXT,ident 7
May 11 15:35:51.743: CRYPTO_PKI: (A0009)validation path has 1 certs
May 11 15:35:51.743: CRYPTO_PKI: Found a issuer match
May 11 15:35:51.743: CRYPTO_PKI: (A0009) Using router to validate certificate
May 11 15:35:51.743: CRYPTO_PKI: Added 1 certs to trusted chain.
May 11 15:35:51.743: CRYPTO_PKI: Prepare session revocation service providers
May 11 15:35:51.743: CRYPTO_PKI: Deleting cached key having key id 34
May 11 15:35:51.743: CRYPTO_PKI: Attempting to insert the peer's public key into cache
May 11 15:35:51.743: CRYPTO_PKI:Peer's public inserted successfully with key id 35
May 11 15:35:51.775: CRYPTO_PKI: Expiring peer's cached key with key id 35
May 11 15:35:51.775: CRYPTO_PKI: (A0009) Starting CRL revocation check
May 11 15:35:51.775: CRYPTO_PKI: Deleting cached key having key id 35
May 11 15:35:51.775: CRYPTO_PKI: Attempting to insert the peer's public key into cache
May 11 15:35:51.775: CRYPTO_PKI:Peer's public inserted successfully with key id 36
May 11 15:35:51.803: CRYPTO_PKI: Expiring peer's cached key with key id 36
May 11 15:35:51.803: CRYPTO_PKI: Revocation check is complete, 0
May 11 15:35:51.803: CRYPTO_PKI: Revocation status = 0
May 11 15:35:51.803: CRYPTO_PKI: Remove session revocation service providers
May 11 15:35:51.803: CRYPTO_PKI: Remove session revocation service providers
May 11 15:35:51.803: CRYPTO_PKI: (A0009) Certificate validated
May 11 15:35:51.803: CRYPTO_PKI: Populate AAA auth data
May 11 15:35:51.803: CRYPTO_PKI: Unable to get configured attribute for primary AAA list authorization.
May 11 15:35:51.803: CRYPTO_PKI: (A0009)chain cert was anchored to trustpoint router, and chain validation result was: CRYPTO_VALID_CERT
May 11 15:35:51.803: CRYPTO_PKI: destroy ca_req_context type PKI_VERIFY_CHAIN_CONTEXT,ident 7
May 11 15:35:51.803: CRYPTO_PKI: (A0009) Validation TP is router
May 11 15:35:51.859: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to down
May 11 15:35:51.863: CRYPTO_PKI: Initializing renewal timers
May 11 15:35:51.863: PKI:get_cert router 0x10 (expired=0):
May 11 15:35:54.239: CRYPTO_PKI: Rcvd request to end PKI session A0009.
May 11 15:35:54.239: CRYPTO_PKI: PKI session A0009 has ended. Freeing all resources.
May 11 15:35:54.239: CRYPTO_PKI: unlocked trustpoint router, refcount is 0
May 11 15:35:54.243: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up
VPN#
Thanks for the time you're taking to help me.
05-15-2017 05:27 AM
Hi JP,
Finally I managed to deauthenticate users following these steps:
The next time the user tries to connect it is not allowed, and this log is shown on the router:
May 15 14:21:56.851: %PKI-6-PKI_CRL_DOWNLOADED: CRL download notification sent for Issuer = cn=ca-server.
May 15 14:21:56.883: %PKI-3-CERTIFICATE_REVOKED: Certificate chain validation has failed. The certificate (SN: 05) is revoked
Thanks for your help.
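The debug in the 05-11 post prints the CA server's CRL as a structure dump (SEQ/OID/UTC/INT lines). The following added example, which is not part of this thread and not Cisco code, parses that dump so you can check two things a defender wants to know when a revoked client still connects: which serials the CRL the router holds actually lists, and whether that copy is still inside its ThisUpdate/NextUpdate window at the moment of the validation. The dump text is copied from the updated-CRL section of the 05-11 post (signature bytes left out); the function and field names are my own.

```python
"""Parse the CRL structure dump printed by 'debug crypto pki transactions'
on Cisco IOS and report revoked serials plus the CRL validity window."""
import re
from datetime import datetime, timezone

# Structure dump of the updated CRL, copied from the 05-11-2017 post above.
# The BIT(...) signature bytes are omitted; the parser ignores them anyway.
CRL_DUMP = """\
SEQ(643)
SEQ(109)
SEQ(13)
OID(9):SHA Signature 1.2.840.113549.1.1.5
NULL
END
SEQ(20)
SET(18)
SEQ(16)
OID(3):Common Name 2.5.4.3
PRT(9):ca-server
END
END
END
UTC(13):170511153506Z
UTC(13):170511213506Z
SEQ(40)
SEQ(18)
INT(1):4
UTC(13):170511150505Z
END
SEQ(18)
INT(1):5
UTC(13):170511153506Z
END
END
END
SEQ(13)
OID(9):SHA Signature 1.2.840.113549.1.1.5
NULL
END
"""

# One dump line: TAG, optional (length), optional :value.
# Hex signature lines such as "00 A9 3B ..." do not match and are skipped.
TOKEN = re.compile(r"^(?P<tag>[A-Z]+)(?:\((?P<len>[^)]*)\))?(?::(?P<val>.*))?$")


def parse_utc(value: str) -> datetime:
    """UTCTime as printed in the dump: YYMMDDhhmmssZ."""
    return datetime.strptime(value, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_crl_dump(text: str) -> dict:
    """Return issuer CN, thisUpdate, nextUpdate and {serial: revocation time}."""
    toks = []
    for line in text.splitlines():
        m = TOKEN.match(line.strip())
        if m:
            toks.append((m.group("tag"), m.group("val") or ""))

    info = {"issuer_cn": "", "this_update": None, "next_update": None, "revoked": {}}
    expect_cn = False
    for i, (tag, val) in enumerate(toks):
        prev_tag = toks[i - 1][0] if i else None
        next_tag = toks[i + 1][0] if i + 1 < len(toks) else None
        if tag == "OID" and val.startswith("Common Name"):
            expect_cn = True                      # the PRT that follows is the CN
        elif tag == "PRT" and expect_cn:
            info["issuer_cn"], expect_cn = val, False
        elif tag == "INT" and next_tag == "UTC":
            # revokedCertificates entry: serialNumber followed by revocationDate
            info["revoked"][int(val)] = parse_utc(toks[i + 1][1])
        elif tag == "UTC" and prev_tag != "INT":
            # CRL-level times appear in order: thisUpdate, then nextUpdate
            if info["this_update"] is None:
                info["this_update"] = parse_utc(val)
            elif info["next_update"] is None:
                info["next_update"] = parse_utc(val)
    return info


def is_revoked(info: dict, serial: int) -> bool:
    return serial in info["revoked"]


def crl_is_current(info: dict, at: datetime) -> bool:
    """True while thisUpdate <= at < nextUpdate: a validator holding this copy
    has no reason to fetch a newer CRL before nextUpdate."""
    return info["this_update"] <= at < info["next_update"]


if __name__ == "__main__":
    crl = parse_crl_dump(CRL_DUMP)
    print(crl["issuer_cn"], crl["this_update"], crl["next_update"], sorted(crl["revoked"]))
```

Run on the dump above it reports issuer cn=ca-server, a window from 15:35:06Z to 21:35:06Z on 11 May, and serials 4 and 5 revoked. Run on the first dump in the same post (the CRL that was loaded before the revoke command), it lists only serial 4 with a window ending at 21:05:05Z; a validator that still held that earlier copy at 15:35:51Z would be inside its window and would report serial 5 as not revoked, which is what the "Revocation status = 0" line shows. IOS keeps a downloaded CRL cached until its NextUpdate time, so after revoking a certificate it is worth confirming that the validating trustpoint has actually fetched the new CRL (clear crypto pki crls forces that); the %PKI-6-PKI_CRL_DOWNLOADED message in the final post is what a successful refresh looks like, and %PKI-3-CERTIFICATE_REVOKED is the log line to alert on.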